I was wondering if Chef can use a remote_file resource from an https source that uses a self-signed certificate. It doesn't seem to be able to. The documentation does not mention certificates and offers configuration for disabling the SSL check.
If you have an https site with a self-signed certificate, this can for example be reproduced with a recipe that has

    remote_file "/tmp/image.png" do
      source "https://mywebsite.com/image.png"
    end
You can of course use knife to fetch the certificate on the target node, for example as follows:
    vagrant@devops:~$ knife ssl fetch https://mywebsite.com/
    WARNING: No knife configuration file found
    WARNING: Certificates from mywebsite.com will be fetched and placed in your trusted_cert directory (/home/vagrant/.chef/trusted_certs).
    Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading.
This doesn't seem to do much/anything. Chef will continue to show the message

    ==> default: [2015-06-08T06:30:33+00:00] ERROR: remote_file[/tmp/image.png] (jenkins::remote_file_test line 1) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Maybe this is a bug? It seems that Chef is ignoring the trusted certs.
Is there a workaround for this? Can we make Chef trust the cert somehow?
Update: The correct answer was given by Tensibai. See his comment.
I use the certificate cookbook to install my self-signed certificates, so my solution was based on that. In my recipe I use certificate_manage to install the certificate, which is stored in an encrypted data bag. Then I can add the certificate to cacert.pem with something like